More here:
* weex
https://aur.archlinux.org/cgit/aur.git/commit/?h=weex&id=a0c039fbdce60a37c5db30004744147020dd0649
* nikki
https://aur.archlinux.org/cgit/aur.git/commit/?h=nikki&id=08c13fe0214275c3e47bf21923376b1fce1521e3
Both use js-digest instead of atomic-lockfile. All contributor email
addresses in the PKGBUILD were also replaced with fake Gmail addresses
([email protected] and [email protected] respectively).
I've got 2 "AUR Package Update" emails each but only one malicious
commit, so it looks like there is a script which will periodically
rewrite git history.